India has recently witnessed a spate of new regulations and amendments, which will soon have a significant impact on how online gaming businesses operate and the regulatory compliances that they undertake. In this crisp round-up, we cover three important recent regulatory developments that every online gaming operator offering their products in India should be aware of. Each of these developments affect important aspects of an operator’s real-money gaming business in India viz. taxation, data protection and verification of online real-money games.
Taxing times for online real-money gaming
In mid-July, India’s Goods and Service Tax Council (GST Council), a constitutional body responsible for making recommendations on issues related to the implementation of the Goods and Services Tax (GST), recommended imposition of 28% GST on the face value of the bet/entry fee in online gaming. Though this was slightly modified subsequently to mean 28% on the initial deposit made by a player with the platform rather than each bet/entry, the recommendations are a body blow to the burgeoning online gaming industry in India. Not only have these recommendations, in effect, obliterated the distinction between games of skill and chance as far as taxation is concerned but arguably also fall foul of the constitutional prohibition against treating unequals equally.
The taxation regime for online gaming was under deliberation for more than two years. A Group of Ministers (GoM) was first constituted by the GST Council in May 2021 and then re-constituted in February 2022 to examine the taxation for casinos, horseracing and online gaming. The first report of the GoM, which was placed before the GST Council in June 2022, had recommended charging GST at a fixed rate of 28% on the entire face value of the stakes, irrespective of the nature of the online game (whether it be of chance or skill). However, the GST Council could not arrive at a decision at that time and had asked the GoM to deliberate further and submit an amended report. The GoM had submitted a revised report in December 2022 but, in the absence of a consensus within it on the issue of GST valuation, had left the final decision to the GST Council.
So, now, if a user intends to add INR 100 to her in-game e-wallet, INR 28 will be additionally charged as GST (under the head of ‘supply of actionable claims’). Reapplication of winnings earned from a past contest of online game will not be subject to the 28% GST. Separately, winnings from online gaming above INR 100 will be subject to a tax-deduction-at-source (TDS) under income tax laws at the rate of 30%, which will be triggered on each withdrawal or the year-end balance in the e-wallet.
It is important to note that the GST Council has also recommended that foreign real-money gaming operators will have to mandatorily register themselves through a simplified registration process to discharge their GST obligations under this new regime. Platforms of non-compliant foreign operators will be blocked.To give effect to these recommendations, suitable amendments to the central and State-level GST laws are required.
On 11 August 2023, both Houses of Parliament passed the relevant amendments to the central GST laws and the same received presidential assent soon after. The States are now expected to soon enact the necessary amendments for their GST laws. Additionally, key amendments relating to rate and valuation are also pending to be prescribed by way of amendments to the relevant rules and notifications. This new taxation regime is expected to come into force by 1 October 2023, and the GST Council has agreed to review its recommendations after six months of the new regime coming into force.
A new dawn for personal data protection in India
On 11 August 2023, the Central Government published the much-awaited Digital Personal Data Protection Act, 2023 (DPDP Act) in the Official Gazette, thus setting the stage for the first-of-its-kind overarching personal data protection law for India. India has witnessed various iterations of a personal data protection law over the years, which have been introduced by the Central Government – the first of which was introduced in 2018 but was soon withdrawn.
Subsequently, in 2019, another rendition titled the ‘Personal Data Protection Bill, 2019’ was presented before a Joint Parliamentary Committee, which tabled its report along with a revised rendition of the bill titled the ‘Data Protection Bill, 2021’ before the Indian Parliament in December 2021. The Data Protection Bill 2021 was thereafter brought up for consideration before the Indian Parliament but later withdrawn.
The DPDP Act is now the fourth and final iteration of the personal data protection legislation in India. It was first presented before the Lower House of the Indian Parliament, which passed it on 7 August 2023. The Upper House of the Indian Parliament subsequently passed the bill on 9 August 2023. On 11 August, pursuant to receiving Presidential assent, the DPDP Act was published by the Central Government in the Official Gazette.
India has witnessed various iterations of a personal data protection law over the years
Key aspects of the DPDP Act: The DPDP Act narrows its focus to the protection of ‘digital’ personal data, which is understood as any personal data in the digitised form about an “individual who is identifiable by or in relation to such data.” It seeks to regulate the processing of personal data in a manner that recognises the right of individuals to protect their personal data, and acknowledges the need to process personal data for lawful purposes. It prescribes various obligations on ‘data fiduciaries’ and ‘significant data fiduciaries’ while processing the personal data of ‘data principals’ (i.e. the user).
Applicability: The DPDP Act regulates the processing of personal data within India when collected in the digital form or in non-digital form and subsequently digitised. It also extends to the processing of personal data outside India if it relates to offering goods or services to data principals located in India. However, any data made ‘publicly available’ by the relevant data principal remains outside the purview of the DPDP Act.
Obligations on data fiduciaries: Various obligations are stipulated for data fiduciaries while collecting, processing and sharing personal data, including, inter alia, stricter notice and consent requirements, obligations while processing personal data of children and persons with disabilities, obligations in instances of personal data breaches, obligations to update, correct and erase personal data and to provide data principals the option to withdraw consent, establishment of a grievance redressal mechanism, etc.
Legitimate uses: Data fiduciaries can process personal data without the prior consent of data principals for certain ‘legitimate uses,’ including when the data principal has voluntarily provided their personal data for a specified purpose and has not explicitly signified that they do not consent to such use. Penalties: Monetary penalties of up to INR 250 crore ($30.3m) have been prescribed in cases of non-compliance with the provisions of the DPDP Act.
What’s next? Most importantly, the Central Government is yet to notify the date on which the provisions of the DPDP Act will come into force (different dates may be notified for different provisions). Hence, the provisions of the DPDP Act are currently not in force. Until such time as the DPDP Act comes into force, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 framed under the Information Technology Act, 2000 will continue to apply.
Industry awaits designation of self-regulatory bodies for online gaming
In April 2023, the Central Government had notified a new legal framework for online gaming through amendments to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021. These amendments (Online Gaming Rules) propose a light-touch, co-regulatory regime whereby government-recognised, but independent self-regulatory bodies (SRB) will verify whether an ‘online real money game’ is to be permitted or not – in accordance with the baseline criteria prescribed by the Online Gaming Rules.
The Online Gaming Rules will regulate online gaming platforms by treating them as an “online gaming intermediary” and by prescribing due diligence obligations for them. However, the obligations under the Online Gaming Rules will come into effect on the expiry of three months from the date on which the Central Government recognises a total of three SRBs.
However, at press time, no online gaming SRB has been designated by the Central Government. Initially, it tried to expedite the process of applications by potential SRBs, by stating that it would commence verifying online games itself if the industry did not set up the SRBs as required under the Online Gaming Rules. But even after four applications being filed, the Central Government is yet to approve the applications and designate them as online gaming SRBs. One of the reasons which could have impacted the designation process is a recent petition that was filed by an NGO in the Delhi High Court questioning the constitutional validity of the Online Gaming Rules.
The petition is currently pending at the preliminary stage. As per news reports, the four SRB applications have been made by (i) The Esports Players Welfare Association (EPWA), (ii) a consortium supported by two gaming industry associations — the E-Gaming Federation (EGF) and the Federation of Indian Fantasy Sports (FIFS); (iii) the All-India Gaming Federation (AIGF) and (iv) the All-India Gaming Regulator (AIGR) Foundation.
